CN103902453A - Embedded equipment security detection method based on components - Google Patents

Embedded equipment security detection method based on components

Info

Publication number
CN103902453A
Authority
CN
China
Prior art keywords
detection components
package base
pedestal
detection
detecting
Prior art date
Legal status
Granted
Application number
CN201410132944.4A
Other languages
Chinese (zh)
Other versions
CN103902453B (en)
Inventor
张之刚
吕卓
张威
马彩霞
Current Assignee
State Grid Corp of China SGCC
Electric Power Research Institute of State Grid Henan Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
Electric Power Research Institute of State Grid Henan Electric Power Co Ltd
Priority date 2014-04-03
Filing date 2014-04-03
Publication date 2014-07-02
2014-04-03 Application filed by State Grid Corp of China SGCC, Electric Power Research Institute of State Grid Henan Electric Power Co Ltd
2014-04-03 Priority to CN201410132944.4A
2014-07-02 Publication of CN103902453A
Application granted
2016-07-13 Publication of CN103902453B
Legal status: Active

Abstract

The invention discloses a component-based security detection method for embedded devices. Because the design is component-based, the detection system is more extensible and compatible: each detection tool and each detection item can be packaged as a component, which makes extension straightforward. Because communication runs over a standard, cross-platform SOAP bus, the system can interoperate with tool components written in different languages for different platforms. By integrating different detection components it gives testers a single entry point, which simplifies their control of the detection workflow and their analysis of the data. Detection components are authenticated with digital certificates and digital signatures, so unauthorised components cannot join, the detection process and its results can be trusted, and the results themselves are protected against tampering by a digital signature.

Description

Component-based embedded device security detection method
Technical field
The invention belongs to the field of computer information security testing and relates to a component-based security detection method for embedded devices.
Background technology
An embedded system is a dedicated computer system designed for a specific application. Embedded systems are used very widely; systems such as the Internet of Things and the smart grid rely on them in large numbers, and they have reached into every aspect of daily life.
Compared with conventional PC equipment, the main design concerns of an embedded system are hardware suitability and low resource consumption, so many embedded systems have few or no security protection functions. A malicious attacker can easily break into such a system and, depending on the attacker's goals, disrupt it, eavesdrop on it or even take remote control of it. In critical domains such as the electric power system, embedded systems account for a large share of the equipment; once one is attacked, normal operations are affected and the system may even be paralysed. The security of embedded systems must therefore be taken seriously and addressed.
Security detection is an important safeguard for embedded system security. It not only uncovers security problems but also provides a basis for hardening the embedded product.
However, although the information technology field has a great deal of practice in developing and testing embedded computer systems, these efforts are essentially isolated from one another. Because each product differs in physical structure, hardware type and low-level drivers, its testing technology is confined to products of the same model. Change the product, even to one of the same type from a different manufacturer, and the testing techniques, tools and platform all differ. Compared with software and hardware testing in conventional IT, a systematic, general-purpose embedded testing technology is therefore still very immature.
For the security detection of embedded systems, and to accommodate different detection techniques, tools and system architectures, it is therefore necessary to build a detection platform that is highly compatible and easy to extend, so as to meet the demand for embedded system security detection.
Summary of the invention
The object of the invention is to provide a component-based security detection method for embedded devices that can integrate and manage different detection components and give testers convenient and effective support for the security detection of embedded systems.
The invention adopts the following technical solution:
A component-based security detection method for embedded devices comprises the following steps:
A. First initialise the security detection system: the component pedestal generates the pedestal digital certificate and pedestal private key used for digital signatures, and the pedestal private key is encrypted with the administrator's password before being stored;
B. Each detection component must register with the component pedestal before its first use. Registration proceeds as follows: the detection component first connects to the communication bus; it then provides the pedestal with its version number, the digital digest value of the detection component's executable file and its interface contract description document; finally the component pedestal checks the correctness of the interface contract. If the check fails, registration fails; if it succeeds, registration succeeds, and the pedestal stores the interface contract description document in the interface contract library;
C. The pedestal signs the digital digest provided by the detection component with the pedestal private key and returns this digital signature together with the pedestal digital certificate to the detection component, which stores both;
D. Start the detection component. The component connects to the pedestal and sends its digital digest value and the pedestal digital signature to the pedestal, which checks whether this digest value has been registered in the system: if the interface contract description document is incomplete or malformed, it returns registration failure; if the document is complete and well-formed, registration succeeded, and the pedestal and the detection component communicate directly;
E. Once communication is established, the detection component submits its digital signature, and the pedestal uses the pedestal certificate to check whether the signature is valid. If it is valid, the pedestal and the detection component connect; otherwise the communication connection with this detection component is dropped;
F. The tester configures the detection parameters of the detection component according to its interface contract description document and sends them to the component through the pedestal and the communication bus;
G. The tester issues a test instruction to the pedestal; the pedestal drives the detection component over the communication bus, and after detection the component sends its test results and log information back to the pedestal;
H. The pedestal checks the results and log information, signs the detection results with the pedestal private key to ensure their integrity, and then stores the results in the database.
The security detection system comprises a plurality of detection components, a component pedestal that manages the detection components, and a management console that manages and controls the system; each detection component has a corresponding interface contract description document. It also comprises a communication bus over which the detection components and the pedestal communicate, and a database for storing test data. The detection components are each connected to the pedestal through the communication bus, and the pedestal is connected to the database through the management console.
Each detection component must be registered on the pedestal and provide a corresponding interface contract; through the interface contract provided by a detection component, the pedestal can manage and control that component's operation and obtain its test results and log information.
The communication bus between the detection components and the pedestal uses a standard XML-based SOAP interface and supports transactions and sessions.
The management console consists mainly of a user and role management module, a test project and test case management module, a test result management module, and a statistics and log module. Through it the tester manages the whole embedded security detection platform: creating test projects, writing test cases, recording test results, keeping logs and performing statistical analysis.
The interface contract description document comprises the component's basic information, address, configuration parameter information, control instruction data format and detection report description information.
In step H, the pedestal's check of the results and log information comprises verifying that the test results are complete and that their format is valid.
The database is a MySQL database, which provides storage for the detection data.
Alternatively, the database is an Oracle database, suited to situations with a larger number of test projects.
The pedestal digital certificate and pedestal private key of step A are implemented with the RSA public-key algorithm with a key length of not less than 2048 bits. The pedestal private key is protected with the administrator's password as follows: the SHA-1 digest of the administrator password is computed and its first 16 bytes are taken as the key; the pedestal private key is encrypted with this key using the AES algorithm, producing the encrypted private-key ciphertext; when the private key is needed, the ciphertext file is decrypted with AES.
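The private-key protection of step A is a key derivation with no salt and a single hash, which is worth seeing concretely. The following is an added example, not code from the patent or its assignees: it derives the AES-128 key exactly as the text specifies (first 16 bytes of SHA-1 over the administrator password) beside a salted PBKDF2 derivation, used here as a stand-in for current practice, and shows the consequence of the missing salt, namely that one precomputed password table serves every pedestal. The wordlist and passwords are constructed. The table lookup stands in for the ciphertext check an attacker would actually run, because the standard library has no AES and the AES step itself (whose mode and IV the text does not specify) is left out.

```python
import hashlib
import secrets

def pedestal_key_as_specified(admin_password: str) -> bytes:
    """Step A / claim 10: AES key = first 16 bytes of SHA-1(administrator password).
    No salt, no iteration count: the key depends on the password alone."""
    return hashlib.sha1(admin_password.encode("utf-8")).digest()[:16]

def pedestal_key_salted(admin_password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Stand-in hardened derivation (not from the page): PBKDF2-HMAC-SHA256 with a
    per-pedestal random salt, still yielding a 16-byte AES-128 key."""
    return hashlib.pbkdf2_hmac("sha256", admin_password.encode("utf-8"), salt, iterations, dklen=16)

def precompute_table(wordlist, derive):
    """What an attacker does once against an unsalted scheme: key -> password."""
    return {derive(word): word for word in wordlist}

def demo():
    # constructed wordlist, and two pedestals whose administrators chose the same password
    wordlist = ["admin", "Password1", "sgcc2014", "Admin@123", "root"]
    pedestal_a = pedestal_key_as_specified("Admin@123")
    pedestal_b = pedestal_key_as_specified("Admin@123")
    table = precompute_table(wordlist, pedestal_key_as_specified)
    recovered = table.get(pedestal_a)            # one lookup serves every pedestal

    # with a per-pedestal salt the same password gives unrelated keys, and a table
    # built for one pedestal's salt says nothing about another pedestal
    salt_a, salt_b = secrets.token_bytes(16), secrets.token_bytes(16)
    iterations = 1000                            # lowered only to keep the demo quick
    salted_a = pedestal_key_salted("Admin@123", salt_a, iterations)
    salted_b = pedestal_key_salted("Admin@123", salt_b, iterations)
    salted_table = precompute_table(wordlist, lambda w: pedestal_key_salted(w, salt_a, iterations))
    return {
        "same_key_on_both_pedestals": pedestal_a == pedestal_b,
        "recovered_from_table": recovered,
        "salted_keys_equal": salted_a == salted_b,
        "salted_table_hits_other_pedestal": salted_b in salted_table,
    }
```

Whatever mode AES is used in, the key can be no stronger than the administrator's password under this derivation, and every candidate password can be tested against the stored ciphertext offline at the cost of one SHA-1. A random per-pedestal salt stored next to the ciphertext and a cost parameter (the function's default of 600,000 PBKDF2 iterations, lowered in demo() only for speed) are the minimum a practitioner would add. The text also specifies no integrity protection for the ciphertext file, so an authenticated mode or a separate MAC over it would be needed to detect tampering with the stored key.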
Because the invention is component-based, the detection system has better extensibility and compatibility: each detection tool and test item can be made into a component, which makes extension easy. Because the bus uses standard, cross-platform SOAP communication, the system can connect to tool components written in different languages for different platforms. By integrating different detection components it provides testers with a single entry point: testers can manage test projects and test cases uniformly, and the data formats and usage patterns of the detection components are also unified, which simplifies control of the detection process and analysis of the data. The invention further authenticates detection components with digital certificate and digital signature technology, preventing unauthorised components from joining and ensuring the trustworthiness of the detection process and its results; the test results are also protected with a digital signature so that they cannot be tampered with.
Brief description of the drawings
Fig. 1 is the system architecture diagram of the invention;
Fig. 2 is the flow chart of the invention.
Embodiment
As shown in Fig. 2, a component-based security detection method for embedded devices is characterised in that it comprises the following steps:
A. First initialise the security detection system: the component pedestal generates the pedestal digital certificate and pedestal private key used for digital signatures, and the pedestal private key is encrypted with the administrator's password before being stored. The pedestal digital certificate and pedestal private key are implemented with the RSA public-key algorithm with a key length of not less than 2048 bits. The pedestal private key is protected with the administrator's password as follows: the SHA-1 digest of the administrator password is computed and its first 16 bytes are taken as the key; the pedestal private key is encrypted with this key using the AES algorithm, giving the encrypted private-key ciphertext; when the private key is needed, the ciphertext file is decrypted with AES.
B. Each detection component must register with the component pedestal before its first use. Registration proceeds as follows: the detection component first connects to the communication bus; it then provides the pedestal with its version number, the digital digest value of the detection component's executable file and its interface contract description document; finally the component pedestal checks the correctness of the interface contract. If the check fails, registration fails; if it succeeds, registration succeeds, and the pedestal stores the interface contract description document in the interface contract library. When checking the validity of the interface contract description document, the pedestal first checks that it is an XML document and then parses the XML to check that it meets the module requirements; the XML document is parsed with the DOM approach.
C. The pedestal signs the digital digest provided by the detection component with the pedestal private key and returns this digital signature together with the pedestal digital certificate to the detection component, which stores both. The digital signature method is as follows: the digest to be signed is padded in the RSA PKCS#1 manner, and the padded result is then encrypted with the RSA private-key algorithm using the pedestal private key; the encrypted result is the digital signature value.
D. Start the detection component. The component connects to the pedestal and sends its digital digest value and the pedestal digital signature to the pedestal, which checks whether this digest value has been registered in the system: if the interface contract description document is incomplete or malformed, it returns registration failure; if registration succeeded, the pedestal and the detection component communicate directly. When checking the validity of the digital signature, the signature value is first decrypted with the RSA public-key algorithm using the pedestal certificate, and the PKCS#1 padding is then removed.
E. Once communication is established, the detection component submits its digital signature, and the pedestal uses the pedestal certificate to check whether the signature is valid. If it is valid, the pedestal and the detection component connect; if it is not valid, the communication connection with this detection component is dropped;
F. The tester configures the detection parameters of the detection component according to its interface contract description document and sends them to the component through the pedestal and the communication bus;
G. The tester issues a test instruction to the pedestal; the pedestal drives the detection component over the communication bus, and after detection the component sends its test results and log information back to the pedestal;
H. The pedestal checks the results and log information, signs the detection results with the pedestal private key to ensure their integrity, and then stores the results in the database.
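Steps B to E and H, in both the summary above and this embodiment, describe one signing scheme used twice: the pedestal signs the SHA-1 digest of a component's executable at registration and checks it when the component starts, and it signs detection results the same way. The following added example (written for this page, not code from the patent or its assignees) models that lifecycle in Python with a textbook RSA implementation and PKCS#1 v1.5 signature padding, standard library only. The 512-bit keys, the sample executable bytes and the sample report are constructed stand-ins (the text requires at least 2048-bit keys), and the class and function names are assumed.

```python
import hashlib
import hmac
import secrets
from xml.dom import minidom

# --- textbook RSA on constructed toy keys (the text requires >= 2048-bit keys) ---
def _is_probable_prime(n, rounds=24):          # Miller-Rabin
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def generate_keypair(bits=512):
    """Return ((n, e), (n, d)). 512 bits keeps the demo fast; it is not a secure size."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

# --- EMSA-PKCS1-v1_5 encoding of a SHA-1 digest (RFC 8017, section 9.2) ---
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")

def _emsa_pkcs1_v15(digest, k):
    t = SHA1_DIGESTINFO + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(private_key, digest):
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(digest, k), "big"), d, n).to_bytes(k, "big")

def verify(public_key, digest, signature):
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    # Re-encode and compare, rather than "decrypt, then strip the padding":
    # lenient padding parsers are what Bleichenbacher's 2006 forgery exploits.
    return hmac.compare_digest(em, _emsa_pkcs1_v15(digest, k))

class ComponentPedestal:
    def __init__(self):
        self.certificate, self._private_key = generate_keypair()
        self.contract_library = {}                 # digest -> (version, contract document)

    def register(self, version, executable, contract_xml):          # steps B and C
        try:
            minidom.parseString(contract_xml)      # step B: is the contract an XML document?
        except Exception:
            return None                            # registration failure
        digest = hashlib.sha1(executable).digest() # digest of the component executable
        self.contract_library[digest] = (version, contract_xml)
        return digest, sign(self._private_key, digest), self.certificate

    def admit(self, digest, signature):                             # steps D and E
        if digest not in self.contract_library:    # digest never registered
            return False
        return verify(self.certificate, digest, signature)

    def sign_result(self, result):                                  # step H
        return sign(self._private_key, hashlib.sha1(result).digest())

def demo():
    pedestal = ComponentPedestal()
    exe = b"\x7fELF constructed stand-in for a detection component binary"
    digest, sig, cert = pedestal.register("1.0", exe, "<InterfaceContract/>")
    genuine = pedestal.admit(digest, sig)
    # a modified binary has a different SHA-1, so the stored signature no longer fits
    tampered = pedestal.admit(hashlib.sha1(exe + b"\x90").digest(), sig)
    report = b"<report>telnet open on 23/tcp</report>"
    rsig = pedestal.sign_result(report)
    intact = verify(cert, hashlib.sha1(report).digest(), rsig)
    altered = verify(cert, hashlib.sha1(report.replace(b"open", b"closed")).digest(), rsig)
    return genuine, tampered, intact, altered      # (True, False, True, False)
```

Two points the description leaves open. First, step D verifies a digest that the component reports about itself; a modified component could report the registered digest and replay the stored signature, so the check is only as strong as whoever computes the digest, and admit() above is written for a digest the pedestal has measured itself or otherwise trusts. Second, the embodiment verifies by decrypting and then stripping the PKCS#1 padding; verify() instead re-encodes the expected block and compares it in constant time, because lenient padding parsers are exactly what Bleichenbacher's 2006 e=3 forgery exploited. SHA-1 appears because the text specifies it; practical SHA-1 collisions were published in 2017, so a new design would measure executables with SHA-256.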
The security detection system comprises a plurality of detection components, a component pedestal that manages the detection components and a management console that manages and controls the system; each detection component has a corresponding interface contract. It further comprises a communication bus over which the detection components and the pedestal communicate, and a database for storing test data; the detection components are each connected to the pedestal through the communication bus, and the pedestal is connected to the database through the management console.
As shown in Fig. 1, the component pedestal that manages the detection components consists mainly of three modules: a component registration module, a component operation control module and an interface contract library module. The component registration module handles the registration and vetting of detection components; the component operation control module handles the core work of configuring detection parameters, controlling the test process and collecting test results; the interface contract library is the repository of interface contract description documents and allocates to each detection component a folder named after the component ID, in which the component's interface contract description document and related configuration are stored. Each detection component must be registered on the pedestal and provide a corresponding interface contract; through the interface contract provided by a detection component, the pedestal manages and controls that component's operation and obtains its test results, logs and other information.
The communication bus between the detection components and the pedestal communicates through a standard XML-based SOAP interface. Every communication packet carries a session identifier, which is used for transaction operations and session control. A session timeout mechanism is also provided: when a component has not communicated for a long time, its session is terminated automatically and the session's resources are released.
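The session handling just described, together with the DOM check of the interface contract description document in step B, can be shown on the pedestal side with the standard library's minidom. The following is an added example, not code from the patent or its assignees: a SOAP envelope carrying a session identifier in its header, a session table that is refreshed by activity and releases idle sessions after a timeout, and a validity check that the contract document is XML and carries each of the five kinds of information the description lists. The element names (InterfaceContract, BasicInfo, SessionId and so on), the timeout value and the sample packets are assumed or constructed, since the text names none of them.

```python
import secrets
import time
from xml.dom import minidom

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Element names are assumed: the page names only the five categories of information
# an interface contract description document must contain.
CONTRACT_ROOT = "InterfaceContract"
REQUIRED_CONTRACT_ELEMENTS = ("BasicInfo", "Address", "ConfigParameters",
                              "ControlInstructionFormat", "ReportDescription")

def parse_xml(text):
    """DOM-parse a document; None if it is not well-formed XML."""
    try:
        return minidom.parseString(text)
    except Exception:            # xml.parsers.expat.ExpatError, TypeError, ...
        return None

def _text(element):
    return "".join(n.data for n in element.childNodes if n.nodeType == n.TEXT_NODE).strip()

def contract_is_valid(text):
    """Step B check: is it XML, and does it carry every required section?"""
    doc = parse_xml(text)
    if doc is None or doc.documentElement.tagName != CONTRACT_ROOT:
        return False
    for name in REQUIRED_CONTRACT_ELEMENTS:
        nodes = doc.getElementsByTagName(name)
        if not nodes or not _text(nodes[0]):
            return False
    return True

class SessionBus:
    """Pedestal side of the bus: every packet must carry a live session id."""
    def __init__(self, timeout_s=300, clock=time.monotonic):
        self.timeout_s, self.clock = timeout_s, clock
        self.sessions = {}                          # session id -> last activity time

    def open_session(self):
        sid = secrets.token_hex(16)                 # 128 random bits: not guessable
        self.sessions[sid] = self.clock()
        return sid

    def _expire_idle(self):
        now = self.clock()
        for sid in [s for s, last in self.sessions.items() if now - last > self.timeout_s]:
            del self.sessions[sid]                  # release the session's resources

    def receive(self, packet):
        """Return (session id, body operation name), or (None, reason) on rejection."""
        self._expire_idle()
        doc = parse_xml(packet)
        if doc is None:
            return None, "malformed packet"
        headers = doc.getElementsByTagNameNS(SOAP_NS, "Header")
        ids = headers[0].getElementsByTagName("SessionId") if headers else []
        sid = _text(ids[0]) if ids else None
        if sid not in self.sessions:
            return None, "unknown or expired session"
        self.sessions[sid] = self.clock()           # activity keeps the session alive
        bodies = doc.getElementsByTagNameNS(SOAP_NS, "Body")
        ops = [c for c in bodies[0].childNodes if c.nodeType == c.ELEMENT_NODE] if bodies else []
        return sid, (ops[0].tagName if ops else None)

def demo():
    now = [1000.0]                                  # controllable clock for the timeout
    bus = SessionBus(timeout_s=60, clock=lambda: now[0])
    sid = bus.open_session()
    packet = (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Header><SessionId>{sid}</SessionId>'
              f'</soap:Header><soap:Body><StartTest component="telnet-check"/></soap:Body></soap:Envelope>')
    first = bus.receive(packet)                     # t=1000: accepted
    now[0] += 45
    second = bus.receive(packet)                    # t=1045: accepted, refreshes activity
    now[0] += 61
    third = bus.receive(packet)                     # t=1106: idle 61 s > 60 s, session released
    contract_ok = contract_is_valid(
        "<InterfaceContract><BasicInfo>telnet-check 1.0</BasicInfo><Address>10.0.0.5:8080</Address>"
        "<ConfigParameters>target,port</ConfigParameters><ControlInstructionFormat>xml</ControlInstructionFormat>"
        "<ReportDescription>per-host open-port list</ReportDescription></InterfaceContract>")
    contract_missing = contract_is_valid("<InterfaceContract><BasicInfo>x</BasicInfo></InterfaceContract>")
    contract_not_xml = contract_is_valid('{"name": "telnet-check"}')
    return first, second, third, contract_ok, contract_missing, contract_not_xml
```

Two cautions for a real pedestal. The Python documentation for the xml module warns that its parsers are not secure against maliciously constructed data such as entity-expansion bombs, and both the contract document and every bus packet come from a component, so production code should parse them with a hardened parser such as defusedxml. And a session identifier only carries the trust established in step E if it is unguessable and bound to the component whose signature was checked; the example covers the first part with 128 random bits and leaves the binding to the caller.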
Through the management console, the tester manages the whole embedded security detection platform: creating test projects, writing test cases, recording test results, keeping logs, performing statistical analysis and so on. The management console consists mainly of a user and role management module, a test project and test case management module, a test result management module, and a statistics and log module. The user and role management module uses role-based management: each user is assigned one or more roles for access control, the basic roles being system administrator, tester and auditor. The test project and test case management module manages the whole test process: a project is created before detection and the detection cases are then entered, each containing basic information such as test content, priority, state, time, remarks and the responsible person. The test result management module collects and records the results of manual and component-based detection in one place and supports statistics and queries; the statistical reports it generates help testers evaluate the overall detection outcome. The statistics and log module records the key events in the system and in the detection process, so that auditors can audit them through the statistics.
The interface contract description document is provided by the developer of the detection component and describes the format of the data exchanged between the pedestal and the component. Its main contents are the component's basic information, address, configuration parameter information, control instruction data format and detection report description information. The digital digest value of the detection component's executable file is obtained by computing the SHA-1 digest of the executable file.
In step H, the pedestal's check of the results and log information comprises verifying that the test results are complete and that their format is valid.
Because the invention is component-based, the detection system has better extensibility and compatibility: each detection tool and test item can be made into a component, which makes extension easy. Because the bus uses standard, cross-platform SOAP communication, the system can connect to tool components written in different languages for different platforms. By integrating different detection components it provides testers with a single entry point: testers can manage test projects and test cases uniformly, and the data formats and usage patterns of the detection components are also unified, which simplifies control of the detection process and analysis of the data. The invention further authenticates detection components with digital certificate and digital signature technology, preventing unauthorised components from joining and ensuring the trustworthiness of the detection process and its results; the test results are also protected with a digital signature so that they cannot be tampered with.

Claims (10)

1. A component-based security detection method for embedded devices, characterised in that it comprises the following steps:
A. First initialise the security detection system: the component pedestal generates the pedestal digital certificate and pedestal private key used for digital signatures, and the pedestal private key is encrypted with the administrator's password before being stored;
B. Each detection component must register with the component pedestal before its first use. Registration proceeds as follows: the detection component first connects to the communication bus; it then provides the pedestal with its version number, the digital digest value of the detection component's executable file and its interface contract description document; finally the component pedestal checks the correctness of the interface contract. If the check fails, registration fails; if it succeeds, registration succeeds, and the pedestal stores the interface contract description document in the interface contract library;
C. The pedestal signs the digital digest provided by the detection component with the pedestal private key and returns this digital signature together with the pedestal digital certificate to the detection component, which stores both;
D. Start the detection component. The component connects to the pedestal and sends its digital digest value and the pedestal digital signature to the pedestal, which checks whether this digest value has been registered in the system: if the interface contract description document is incomplete or malformed, it returns registration failure; if the document is complete and well-formed, registration succeeded, and the pedestal and the detection component communicate directly;
E. Once communication is established, the detection component submits its digital signature, and the pedestal uses the pedestal certificate to check whether the signature is valid. If it is valid, the pedestal and the detection component connect; otherwise the communication connection with this detection component is dropped;
F. The tester configures the detection parameters of the detection component according to its interface contract description document and sends them to the component through the pedestal and the communication bus;
G. The tester issues a test instruction to the pedestal; the pedestal drives the detection component over the communication bus, and after detection the component sends its test results and log information back to the pedestal;
H. The pedestal checks the results and log information, signs the detection results with the pedestal private key to ensure their integrity, and then stores the results in the database.
2. The component-based security detection method for embedded devices according to claim 1, characterised in that the security detection system comprises a plurality of detection components, a component pedestal that manages the detection components, and a management console that manages and controls the system, each detection component having a corresponding interface contract description document; it further comprises a communication bus over which the detection components and the pedestal communicate, and a database for storing test data; the detection components are each connected to the pedestal through the communication bus, and the pedestal is connected to the database through the management console.
3. The component-based security detection method for embedded devices according to claim 2, characterised in that each detection component must be registered on the pedestal and provide a corresponding interface contract, and that through the interface contract provided by a detection component the pedestal can manage and control that component's operation and obtain its test results and log information.
4. The component-based security detection method for embedded devices according to claim 3, characterised in that the communication bus between the detection components and the pedestal communicates through a standard XML-based SOAP interface and supports transactions and sessions.
5. The component-based security detection method for embedded devices according to claim 4, characterised in that the management console consists mainly of a user and role management module, a test project and test case management module, a test result management module, and a statistics and log module; through it the tester manages the whole embedded security detection platform, creating test projects, writing test cases, recording test results, keeping logs and performing statistical analysis.
6. The component-based security detection method for embedded devices according to claim 5, characterised in that the interface contract description document comprises the component's basic information, address, configuration parameter information, control instruction data format and detection report description information.
7. The component-based security detection method for embedded devices according to claim 6, characterised in that in step H the pedestal's check of the results and log information comprises verifying that the test results are complete and that their format is valid.
8. The component-based security detection method for embedded devices according to claim 7, characterised in that the database is a MySQL database, which provides storage for the detection data.
9. The component-based security detection method for embedded devices according to claim 7, characterised in that the database is an Oracle database, suited to situations with a larger number of test projects.
10. The component-based security detection method for embedded devices according to claim 8 or claim 9, characterised in that the pedestal digital certificate and pedestal private key of step A are implemented with the RSA public-key algorithm with a key length of not less than 2048 bits; the pedestal private key is protected with the administrator's password as follows: the SHA-1 digest of the administrator password is computed and its first 16 bytes are taken as the key; the pedestal private key is encrypted with this key using the AES algorithm, producing the encrypted private-key ciphertext; when the private key is needed, the ciphertext file is decrypted with AES.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410132944.4A CN103902453B (en) 2014-04-03 2014-04-03 Component-based embedded device security detection method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410132944.4A CN103902453B (en) 2014-04-03 2014-04-03 Component-based embedded device security detection method

Publications (2)

Publication Number Publication Date
CN103902453A (en) 2014-07-02
CN103902453B (en) 2016-07-13

Family

ID=50993788

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410132944.4A Active CN103902453B (en) 2014-04-03 2014-04-03 Component-based embedded device security detection method

Country Status (1)

Country Link
CN (1) CN103902453B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107977311A (en) * 2017-11-15 2018-05-01 中国电力科学研究院有限公司 A method and system for automatically performing information security detection of distribution terminals
CN108804882A (en) * 2018-06-11 2018-11-13 北京北信源信息安全技术有限公司 A copyrighted software detection processing method and system

Citations (3)

Publication number Priority date Publication date Assignee Title
US6453417B1 (en) * 1993-05-12 2002-09-17 Usar Systems, Inc. Microcontroller with secure signature extraction
CN102799819A (en) * 2012-07-04 2012-11-28 北京京航计算通讯研究所 Embedded software safety protection system
CN103544660A (en) * 2013-10-30 2014-01-29 国家电网公司 Method for safety testing before online implementation of electric power information system

Non-Patent Citations (1)

Title
张威等: "Testing of embedded software systems in power-grid intelligent terminals", Journal of Chongqing University of Technology (Natural Science) *

Also Published As

Publication number Publication date
CN103902453B (en) 2016-07-13

Similar Documents

Publication Publication Date Title
CN103577748B (en) Dynamic measuring method based on dependable computing and management system
CN101834860B (en) Method for remote dynamic verification on integrality of client software
CN106687980B (en) Management program and virtual machine protection
CN112217835B (en) Message data processing method and device, server and terminal equipment
Gul et al. Cloud computing security auditing
CN103038745A (en) Extending an integrity measurement
CN101977183B (en) High reliable digital content service method applicable to multiclass terminal equipment
CN105099705B (en) A kind of safety communicating method and its system based on usb protocol
CN101739622A (en) Trusted payment computer system
CN109828924A (en) Test method, device and calculating equipment and medium
WO2018162060A1 (en) Methods and devices for attesting an integrity of a virtual machine
CN106603488A (en) Safety system based on power grid statistical data searching method
CN109309645A (en) A kind of software distribution security guard method
CN107133512A (en) POS terminal control method and device
CN104506480A (en) Cross-domain access control method and system based on marking and auditing combination
US9692641B2 (en) Network connecting method and electronic device
CN103902453B (en) A kind of embedded device safety detection method of Component-Based Development
CN105404796A (en) JavaScript source file protection method and apparatus
CN102571810B (en) Dynamic password authentication method based on hardware digital certificate carrier and dynamic password authentication system thereof
CN116074843B (en) Zero trust security trusted audit method for 5G dual-domain private network
CN105790935A (en) Independent-software-and-hardware-technology-based trusted authentication server
CN102592101A (en) Method and system for protecting LED display management software safety
CN108171078A (en) A kind of data security method and device towards third-party cloud platform evaluation system
CN101739623A (en) Trusted payment computer system
Ochani et al. Security issues in cloud computing

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant